There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

Design a flow and pattern to do a release rollout by region

The provided example service repo doesn't exist (at least I get a 404):
https://github.com/microsoft/containerized-microservices-pipeline#example-net-core-api-micro-service

Could you link an alternative repository?

• Is Istio ready as a service mesh in production?
  • If not, what is missing?

https://github.com/Azure/kube-advisor/

https://github.com/Azure/kubernetes-keyvault-flexvol
https://github.com/kubernetes/community/blob/master/contributors/devel/flexvolume.md

• Follow up if Key Vault flex volumes and AAD pod identity is production ready
• Using AAD pod identity
• Traefik uses flex volumes
• Middle tier API uses flex volumes
• Documentation updated

Here are a few k8s best practice repos we can review against our solution. This could possibly drive additional backlog items

https://github.com/shanepeckham/AKS_Security
https://github.com/Azure/k8s-best-practices
https://github.com/Azure/blackbelt-aks-hackfest

https://github.com/Azure/application-gateway-kubernetes-ingress

As a user deploying a k8s cluster via acs-engine, I want the same OMS/Log Analytics setup that I can get from deploying a AKS cluster

Acceptance Criteria:

• OMS/Log Analytics parity with AKS when deploying via acs-engine

As a user of this reference architecture I would like to know how to deploy highly available k8s clusters.

Acceptance Criteria:

• Ability to deploy a highly available cluster(s)
• Ability to turn on/off highly available feature during deployment
• Documentation on HA best practices

With the release of k8s 1.12, you can now deploy a cluster with Azure virtual machine scale sets using acs-engine. Cluster autoscaling was also added. More details here: https://kubernetes.io/blog/2018/10/08/support-for-azure-vmss--cluster-autoscaler-and-user-assigned-identity/

We should evaluate how well this works over availability sets.

• Requires k8s 1.12. If user tries to deploy VMSS where k8s < 1.12, script should fail with the appropriate error
• 1.12 k8s cluster with VMSS
  • VMSS node pool
  • VMSS masters?
• cluster autoscaler

Design how we can redesign the deployment scripts to make them generic, interactive and reusable so there is no need to modify the scripts by hand for any project. We should also include CI/CD task deployment as part of the design.

First step is to get a meeting together and start a design doc to get in agreement on what the requirements are and how we will build it. Additional user stories should be created as a result of this.

Possible options to explore:

• Azure CLI extension
• VS Code extension
• kubectl plugin (requires 1.12 of CLI)
• Aure ARM template

Both AKS and acs-engine support RBAC. When deploying a cluster, add the ability to switch RBAC on/off.

AKS currently has the ability to switch this on/off. RBAC is enabled by default in acs-engine

If RBAC is turned on, we should "wire up" the cluster with RBAC examples to give the user a good understanding of best practices using RBAC in a k8s cluster.

Acceptance Criteria:

• When deploying a cluster, user has ability to turn RBAC on or off
• Wire up and document RBAC policies for appropriate deployments, secrets etc.

• Example(s) using Azure resources
• Example(s) using open source resources

We should add some type of end to end testing that can be ran on PRs and PR merges.

Examples:

• Basic linting on deployment scripts
• Run scripts end-to-end and verify there are no errors
• Run basic operations on cluster to determine correct functionality
• Teardown cluster at the end of tests

Acceptance Criteria:

• On every PR and PR merge, I want the ability to run tests on the deployment scripts
• Documentation on end to end testing
• (Bonus) Azure DevOps pipeline YAML committed with steps

We have a pull request out for a yeoman generator that will setup CI/CD for a k8s microservice in Azure DevOps. We need to fix any issues on this PR, get it merged and integrate into this project.

PR:
DarqueWarrior/generator-team#22

Could we deploy the ingress object with routes as part of the CD process?

Add thorough documentation on how this should work.

Currently we only deploy a k8s cluster using acs-engine. Add the ability for the user to choose between AKS (managed) or ACS engine (self-managed).

• Add a flag in deployCluster.sh to switch on deploying acs-engine vs aks.
  • Deploying via acs-engine should be default ie AKS flag committed as turned off
• Update Deployment.md with details on how to deploy AKS vs acs-engine

Possible refactoring: Split acs-engine deploy and AKS deploy into separate shell files

Applying the certificate is documented here. https://docs.microsoft.com/en-us/azure/aks/ingress-tls
Its suggested in this doc to use cert-manager but, the github for cert-manager clearly indicates its not production ready. Therefore, this issue should indicate how admins should rotate the certificate for ingress TLS before it expires.

Need to remove (rm -rf) or override folders and files created by ACS engine.

CD, daily, weekly etc